fix: support source field in Constraints #2552
Merged: davis-haba merged 13 commits into open-policy-agent:master from davis-haba:expansion-fixes on Mar 22, 2023
Commits (13):

- 7ac074f autogenerate JSONSchemaProps for Match (davis-haba)
- 1695876 e2e test for source field in Constraint (davis-haba)
- f6680f0 fix linter (davis-haba)
- aaf2df8 gofmt match schema CRD as part of make manifests (davis-haba)
- 81cc0f8 delete whitespace at end of script (davis-haba)
- f93cb1c Merge branch 'master' into expansion-fixes (davis-haba)
- af0cc31 extract embedded match crd in code (davis-haba)
- 6cc4d62 Merge branch 'master' into expansion-fixes (davis-haba)
- f94d95f update match crd desc (davis-haba)
- daaa257 exclude matchcrd_constant.go from linter (davis-haba)
- 1fa364a Merge branch 'master' into expansion-fixes (ritazh)
- b740134 Merge branch 'master' into expansion-fixes (ritazh)
- bf8f089 Merge branch 'master' into expansion-fixes (davis-haba)
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,5 +1,7 @@ | ||
| run: | ||
| timeout: 5m | ||
| skip-files: | ||
| - pkg/target/matchcrd_constant.go | ||
|
|
||
| linters-settings: | ||
| gocritic: | ||
|
|
||
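Review bot: the new `skip-files` entry `- pkg/target/matchcrd_constant.go` carries no comment saying why the file is exempt from linting. Add a one-line comment that it is generated output of "make manifests", so the exclusion is not kept or widened by accident if the file is renamed or moved. golangci-lint treats `skip-files` entries as regular expressions, so the unescaped `.` matches any character; escaping and anchoring it (`pkg/target/matchcrd_constant\.go$`) keeps the exemption to exactly this file.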
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # This script builds a golang string constant containing the YAML code for the | ||
| # Match CRD. This is needed to auto generate the JSONSchemaProps for Match. It | ||
| # will parse the YAML for the Match CRD, found in $CRD_FILE, and output to | ||
| # $GO_FILE. | ||
|
|
||
| GO_FILE="./pkg/target/matchcrd_constant.go" | ||
| SRC_FILE="./pkg/mutation/match/match_types.go" | ||
| CRD_FILE="./config/crd/bases/match.gatekeeper.sh_matchcrd.yaml" | ||
|
|
||
| cat << EOF > ${GO_FILE} | ||
| package target | ||
|
|
||
| // DO NOT MODIFY THIS FILE DIRECTLY! | ||
| // This file is generated from $SRC_FILE via "make manifests". | ||
|
|
||
| const matchYAML = \` | ||
| EOF | ||
|
|
||
| # Escape backticks in the yaml, add terminating backtick | ||
| cat ${CRD_FILE} | sed "s/\`/\`+\"\`\"+\`/g" >> ${GO_FILE} | ||
| echo "\`" >> ${GO_FILE} |
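Review bot: the script has no shebang and no `set -euo pipefail`, so a missing or unreadable `$CRD_FILE` still leaves a compilable `matchcrd_constant.go` whose `matchYAML` is effectively empty: in `cat ${CRD_FILE} | sed ...` the pipeline's status is that of `sed`, and the closing `echo` runs regardless. Fail fast (test that `"$CRD_FILE"` is readable, enable `pipefail`), quote the variable expansions, and write to a temporary file that is moved over `$GO_FILE` only on success. The generated header also says the file is generated from `$SRC_FILE`, while the bytes are copied from `$CRD_FILE`; name both, and consider the conventional `// Code generated ... DO NOT EDIT.` line above the `package` clause so that Go tooling recognizes the file as generated.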
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,209 @@ | ||
| --- | ||
| apiVersion: apiextensions.k8s.io/v1 | ||
| kind: CustomResourceDefinition | ||
| metadata: | ||
| annotations: | ||
| controller-gen.kubebuilder.io/version: v0.10.0 | ||
| creationTimestamp: null | ||
| name: matchcrd.match.gatekeeper.sh | ||
| spec: | ||
| group: match.gatekeeper.sh | ||
| names: | ||
| kind: DummyCRD | ||
| listKind: DummyCRDList | ||
| plural: matchcrd | ||
| singular: dummycrd | ||
| scope: Namespaced | ||
| versions: | ||
| - name: match | ||
| schema: | ||
| openAPIV3Schema: | ||
| description: DummyCRD is a "dummy" CRD to hold the Match object, which we | ||
| ultimately need to generate JSONSchemaProps. The TypeMeta and ObjectMeta | ||
| fields are required for controller-gen to generate the CRD. | ||
| properties: | ||
| apiVersion: | ||
| description: 'APIVersion defines the versioned schema of this representation | ||
| of an object. Servers should convert recognized schemas to the latest | ||
| internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||
| type: string | ||
| embeddedMatch: | ||
| description: Match selects which objects are in scope. | ||
| properties: | ||
| excludedNamespaces: | ||
| description: 'ExcludedNamespaces is a list of namespace names. If | ||
| defined, a constraint only applies to resources not in a listed | ||
| namespace. ExcludedNamespaces also supports a prefix or suffix based | ||
| glob. For example, `excludedNamespaces: [kube-*]` matches both | ||
| `kube-system` and `kube-public`, and `excludedNamespaces: [*-system]` | ||
| matches both `kube-system` and `gatekeeper-system`.' | ||
| items: | ||
| description: 'A string that supports globbing at its front or end. | ||
| Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" | ||
| will match "kube-system" or "gatekeeper-system". The asterisk | ||
| is required for wildcard matching.' | ||
| pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ | ||
| type: string | ||
| type: array | ||
| kinds: | ||
| items: | ||
| description: Kinds accepts a list of objects with apiGroups and | ||
| kinds fields that list the groups/kinds of objects to which the | ||
| mutation will apply. If multiple groups/kinds objects are specified, | ||
| only one match is needed for the resource to be in scope. | ||
| properties: | ||
| apiGroups: | ||
| description: APIGroups is the API groups the resources belong | ||
| to. '*' is all groups. If '*' is present, the length of the | ||
| slice must be one. Required. | ||
| items: | ||
| type: string | ||
| type: array | ||
| kinds: | ||
| items: | ||
| type: string | ||
| type: array | ||
| type: object | ||
| type: array | ||
| labelSelector: | ||
| description: 'LabelSelector is the combination of two optional fields: | ||
| `matchLabels` and `matchExpressions`. These two fields provide | ||
| different methods of selecting or excluding k8s objects based on | ||
| the label keys and values included in object metadata. All selection | ||
| expressions from both sections are ANDed to determine if an object | ||
| meets the cumulative requirements of the selector.' | ||
| properties: | ||
| matchExpressions: | ||
| description: matchExpressions is a list of label selector requirements. | ||
| The requirements are ANDed. | ||
| items: | ||
| description: A label selector requirement is a selector that | ||
| contains values, a key, and an operator that relates the key | ||
| and values. | ||
| properties: | ||
| key: | ||
| description: key is the label key that the selector applies | ||
| to. | ||
| type: string | ||
| operator: | ||
| description: operator represents a key's relationship to | ||
| a set of values. Valid operators are In, NotIn, Exists | ||
| and DoesNotExist. | ||
| type: string | ||
| values: | ||
| description: values is an array of string values. If the | ||
| operator is In or NotIn, the values array must be non-empty. | ||
| If the operator is Exists or DoesNotExist, the values | ||
| array must be empty. This array is replaced during a strategic | ||
| merge patch. | ||
| items: | ||
| type: string | ||
| type: array | ||
| required: | ||
| - key | ||
| - operator | ||
| type: object | ||
| type: array | ||
| matchLabels: | ||
| additionalProperties: | ||
| type: string | ||
| description: matchLabels is a map of {key,value} pairs. A single | ||
| {key,value} in the matchLabels map is equivalent to an element | ||
| of matchExpressions, whose key field is "key", the operator | ||
| is "In", and the values array contains only "value". The requirements | ||
| are ANDed. | ||
| type: object | ||
| type: object | ||
| name: | ||
| description: 'Name is the name of an object. If defined, it will | ||
| match against objects with the specified name. Name also supports | ||
| a prefix or suffix glob. For example, `name: pod-*` would match | ||
| both `pod-a` and `pod-b`, and `name: *-pod` would match both `a-pod` | ||
| and `b-pod`.' | ||
| pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ | ||
| type: string | ||
| namespaceSelector: | ||
| description: NamespaceSelector is a label selector against an object's | ||
| containing namespace or the object itself, if the object is a namespace. | ||
| properties: | ||
| matchExpressions: | ||
| description: matchExpressions is a list of label selector requirements. | ||
| The requirements are ANDed. | ||
| items: | ||
| description: A label selector requirement is a selector that | ||
| contains values, a key, and an operator that relates the key | ||
| and values. | ||
| properties: | ||
| key: | ||
| description: key is the label key that the selector applies | ||
| to. | ||
| type: string | ||
| operator: | ||
| description: operator represents a key's relationship to | ||
| a set of values. Valid operators are In, NotIn, Exists | ||
| and DoesNotExist. | ||
| type: string | ||
| values: | ||
| description: values is an array of string values. If the | ||
| operator is In or NotIn, the values array must be non-empty. | ||
| If the operator is Exists or DoesNotExist, the values | ||
| array must be empty. This array is replaced during a strategic | ||
| merge patch. | ||
| items: | ||
| type: string | ||
| type: array | ||
| required: | ||
| - key | ||
| - operator | ||
| type: object | ||
| type: array | ||
| matchLabels: | ||
| additionalProperties: | ||
| type: string | ||
| description: matchLabels is a map of {key,value} pairs. A single | ||
| {key,value} in the matchLabels map is equivalent to an element | ||
| of matchExpressions, whose key field is "key", the operator | ||
| is "In", and the values array contains only "value". The requirements | ||
| are ANDed. | ||
| type: object | ||
| type: object | ||
| namespaces: | ||
| description: 'Namespaces is a list of namespace names. If defined, | ||
| a constraint only applies to resources in a listed namespace. Namespaces | ||
| also supports a prefix or suffix based glob. For example, `namespaces: | ||
| [kube-*]` matches both `kube-system` and `kube-public`, and `namespaces: | ||
| [*-system]` matches both `kube-system` and `gatekeeper-system`.' | ||
| items: | ||
| description: 'A string that supports globbing at its front or end. | ||
| Ex: "kube-*" will match "kube-system" or "kube-public", "*-system" | ||
| will match "kube-system" or "gatekeeper-system". The asterisk | ||
| is required for wildcard matching.' | ||
| pattern: ^(\*|\*-)?[a-z0-9]([-a-z0-9]*[a-z0-9])?(\*|-\*)?$ | ||
| type: string | ||
| type: array | ||
| scope: | ||
| description: Scope determines if cluster-scoped and/or namespaced-scoped | ||
| resources are matched. Accepts `*`, `Cluster`, or `Namespaced`. | ||
| (defaults to `*`) | ||
| type: string | ||
| source: | ||
| description: Source determines whether generated or original resources | ||
| are matched. Accepts `Generated`|`Original`|`All` (defaults to `All`). | ||
| A value of `Generated` will only match generated resources, while | ||
| `Original` will only match regular resources. | ||
| enum: | ||
| - All | ||
| - Generated | ||
| - Original | ||
| type: string | ||
| type: object | ||
| kind: | ||
| description: 'Kind is a string value representing the REST resource this | ||
| object represents. Servers may infer this from the endpoint the client | ||
| submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||
| type: string | ||
| metadataDummy: | ||
| type: object | ||
| type: object | ||
| served: true | ||
| storage: true |
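Review bot: in the `source` property the description says it "defaults to `All`", but the schema carries only the `enum` and no `default`, so the API server will not populate the field and the default exists only in whatever code reads it. Either add the default to the generated schema (a `+kubebuilder:default=All` marker on the Go field) or reword the description to say the default is applied when matching. The neighbouring `scope` property documents exactly three accepted values yet has no `enum`, so a mistyped scope passes schema validation; giving it the same `enum` treatment as `source` would reject the typo when the object is created. The `kinds` item description still speaks of objects "to which the mutation will apply", which reads wrongly for a schema that, per the PR title, is now used for Constraints.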